Websense has made ten predictions about security/vulnerability trends for 2010. There’s no crystal ball, so we’re not talking about malicious innovation, but mostly a recognition that certain nefarious activities are gaining traction and will expand in the near future. Of particular interest to OSNews readers: exploitations of Windows 7 and IE 8 vulnerabilities, the beginning of the end of the Mac’s reprieve on security issues, and increasing targeting of mobile devices (beyond Rickrolling your iPhone, presumably). Read on to learn OSNews 2010 security predictions.

It’s touched upon briefly in this article, but I think one of the most serious “security” issues for 2010 won’t be the exploitation of a technological security flaw per se, but rather an abuse of the social contract. The past few years have seen an explosion of social networking and crowdsourcing, which has enriched our online lives tremendously. But anytime something becomes important to people, there’s never a shortage of scumbags who will try to make a buck by stealing, hijacking or kidnapping it. In this case, it’s the trust in the content of the Web 2.0 services that’s going to be under attack.
You already can’t trust that your Twitter followers are human beings, or that the people you’re cruising on Craigslist are, for that matter. In most of these cases, the worst consequence will be seeing unwanted ads for shady products or services, though there’s always the chance you could be roped into a more elaborate con. And there’s always been the chance that when you’re reading reviews of a Bed and Breakfast that a bunch of them were written by the proprietor and his family using fake names. But increasingly the fraud is becoming mass produced and fully or partially automated. Just as in the late 90s email was at the tipping point of being unacceptably full of spam for many people, social networks and crowdsource-type online resources are in danger of being choked with so much illegitimate content that they can’t be trusted. CAPTCHAs will only get us so far. I fear that by the end of 2010, you won’t be able to trust most online reviews for anything.
I’m actually somewhat optimistic about the traction that classic social engineering-based scams such as phishing are going to have moving forward. Of course, the sophistication of modern spam filters keeps most of these come-ons from even reaching people’s inboxes, and every year that goes by, the average internet user is a little more sophisticated about recognizing the signs. Though there will probably be small incremental improvements in the tools that scammers use to make a phishing scheme look legit, I don’t think there will be a lot of growth, and in the meantime, users are only becoming less likely to fall for them.
Similarly, I think that the ability for OS and software makers to harden their systems will outpace crackers’ ability to come up with new exploits. It will take a decade or more for the existing botnets and vulnerable systems to cycle through, and no system will ever be completely immune to a concentrated attack, but the kind of wholesale, slash-and-burn exploitation will become less widespread over time. The 2000s will prove to have been the salad days for bot herders and other mass-market malicious hackers. I actually don’t agree with the article that Macs or mobile devices will see any substantial exploits in 2010. (And no, jailbroken iPhones with default passwords don’t count). Likewise, though Windows will continue to be the main target for crackers and criminals of all stripes, their job will get incrementally harder over the coming years.
The perversion of the legitimate market as a launchpad for scams, mentioned in the context of scammers buying ads rather than hijacking them, is one of the oldest tricks in the book. Scammers have been buying ads in newspapers, magazines, and TV as long as those media have existed, and have used telephones and the mail to perpetrate their fraud. Ad space is particularly inexpensive right now, so the economics are temporarily favorable. Though I don’t know of any out-and-out frauds to date, shady people occasionally get their ads through onto OSNews, and it’s usually the vigilance of the readers who bring it to our attention and get us to stamp it out. Of course, Craigslist is a minefield of criminals and mischief-makers posting what look like legitimate ads intended to trick or defraud people. There are very few technical countermeasures to these kinds of fraud. Only educating people to be aware and vigilant will have much effect. And although nobody ever went broke betting on people’s stupidity, the average person’s susceptibility to being tricked by yesterday’s con always decreases over time, just through familiarity. Remember that in the early days of cinema, audiences were scared that the train depicted on the screen was going to hit them. 100 years later, you’d be hard pressed to find anyone, no matter where you went in the world, who would be fooled by a movie screen. People aren’t smarter, just more familiar.
So my security predictions for 2010 are a combination of optimism and pessimism. Let’s hear yours in the comments.
And the conclusion websense comes to from that list?
You need to buy our product. WOW! What are the odds of THAT happening???
Chrome OS negates the need, and even the capability of anti virus software, and backup software.
Do you honestly think Norton and McAfee are going to go down quietly?
In Chrome OS the system is read-only, the user space is encrypted, and the web does not run as the user. Updates are silent, automatic, and the system is checksummed and will restore itself if things don’t add up.
The traditional virus simply does not work in this environment. Traditional business models around this don’t fit either.
XSS (cross site scripting) attacks, social engineering and just plain old scams are the biggest threats going forward. Why even bother with a virus, when you can spam the web with millions of fake sites charging people for fake problems. Not least the hooha over the companies who have been milking Facebook gamers with old fashioned opt-outs.
The fact of the matter is that you don’t need viruses to steal information and to make money anymore; people are quite willing to hand it out free to any schmuck anyway.
I don’t think it’s anything new. There were just as many willing to blindly hand over money before. It’s just easier to find them all now with the popularity of voluntary registration through one of three social websites or the Unexpected-Email IQ Test.
(not so many showing up to the Darwinism voting polls in the past)
I think I’m going to hit 100% accuracy. Invite me on your tv show!
* I predict that security companies will decry some terrible vulnerability in a widely used software product that doesn’t actually exist and they will later retract their statement.
* I predict microsoft will be blamed for something they didn’t do, and no one will retract their statement.
* I predict that anti virus companies will continue to scare the living crap out of consumers needlessly so that they can keep their fear-based revenue.
If you look at all of the hype around computer security, and you compare it to the level of FTE (Full time equivalents) – you would quickly come to understand that it is the most hyped category of software ever. Unlike, say, business software or productivity software, it has an almost exponential ratio of hype to actual effectiveness.
Do your part.
Don’t buy into it.
Morglum
(My Canadian $.02)
and now it seems that the user has become the major flaw in the system.
As we saw with conficker a big problem is how many people are running XP without updates turned on. Only 1% of infections took place in the US, most were pirated XP systems outside Western countries.
A lot of phishing scams also wouldn’t have worked if people had upgraded their browser to IE8 or FF3.
Malware through piracy is also a major issue. When you have people voluntarily running programs from illegitimate sources it is no longer a system issue. Expect some nasty Mac trojans in the future as more exploit this attack vector.
I’m optimistic about security in 2010 as more people upgrade to Windows 7 which like Vista has many security improvements over XP and also forces a browser upgrade.
As your own post indicates with the talking points you raise, the major flaw in the system is Windows. The user to some extent also, yes, but really it is mostly a problem of users on Windows.
On Windows (or Macs for that matter), users are not permitted to know how the system works. On other systems, users are fully able to inspect how the system works, and the small percentage of users who can use that permission to inspect the system are also able to effect changes to the system that are in their interests. Since a few users can make sure that the system is good for them, then all users benefit. In this way one can have end-user systems with no malware. There is no other (known) way to achieve this.
Any system that insists that the inner workings of the system are secrets from the end users will be susceptible to trojans. Period.
Happily, as far as trends go, the dominance of Windows on the desktop is waning. Apparently (according to some) it is now down to 80% of new systems:
http://broadcast.oreilly.com/2009/12/linux-regaining-netbook-market…
Edited 2009-12-06 22:45 UTC
There is one other known method, but it doesn’t exist as an implementation yet – an AI administrator. Effectively having a computer-based entity act as the administrator in a Google-Search fashion. But then, you can get into the whole iRobot kind of thing at that point too…when the computer decides the user is not smart enough to be allowed to use the computer…
Haven’t read the article, but very much agree that Windows is in decline for various reasons:
1. If Microsoft loses MS Office dominance, then they will lose Windows dominance too; the two are closely tied. With ODF and MS’s failure to keep people de-facto standardized on MS proprietary formats (e.g. DOC/XLS/PPT/etc and OOXML) they will lose (however slowly) MS Office dominance. This leaves users open to moving to alternative platforms (Mac, Linux, Unix, etc.) again.
2. More and more people are satisfied with a computer that just does e-mail, web, and some simple document editing à la Google Docs or something similar. Chrome OS is perfect for this market segment, but there will be others as well. This will eat away faster at MS Office and Windows dominance; but need not be tied since this segment is not a big MS Office using group anyway – they probably used to use MS Works before MS killed it, and likely have migrated to Google Docs in its absence.
3. If MS loses either or both MS Office and Windows dominance then the company as a whole will be in trouble given that a lot of their finances are based on the behemoth profits raked in by Office and Windows. Everything else is either in the red or barely makes a profit; with the majority being deeply in the red with no sight of profit.
How did this get here?
Edited 2009-12-04 23:18 UTC
Illiteracy makes people stupid, easy to manipulate… same goes for computer/ technology illiteracy.
Short term cure: NONE
Long term cure: education
Edited 2009-12-05 14:43 UTC
We’ve now had SMTP fail (trusting anyone to send mail to anyone without any verification). So now we have spam.
We (still) have something similar with BGP, the most important routing protocol running the internet.
We had problems with DNS, where people were able to create cache-entries and redirect traffic that way.
We had problems with Certificate Authorities messing up, giving out certificates for things (mostly used for https) they shouldn’t have and not verifying enough. We’ve had them use old algorithms which shouldn’t be used anymore.
We very recently had a renegotiation-flaw in the SSL-protocol which makes the protocol completely useless when certain parts of the protocol are enabled because they allow man-in-the-middle attacks.
As Thom mentioned in a way, the human being is the weakest link and most of them are still stupid.
But if technology like protocols fails or old algorithms are used, not even the professionals can secure themselves, so how can we expect the professionals to secure the internet for the normal users?
Maybe it will be worse, someone will find a new flaw in an algorithm used by many encryption systems.
I don’t know.
You can count on encryption weakening. Attacks never get worse; only better. TLS shows weakness which will only become easier to make use of, hence WPA2/AES is now the wireless minimum. It used to be WEP before it was broken in every way possible. GSM is falling over too, though phone companies are less interested in talking about that insecure investment.
I’d say the question isn’t if one of the currently strong forms of encryption will be broken in the next year but what will replace it as the next minimum standard.
I understand that Chrome OS is going to use “sandboxing” of all applications to protect the system from being hacked. I just wonder if that concept could be extended to Linux in general? I admit to not being a programmer, and don’t know how technically difficult this would be. People smarter than me surely have considered it, but apparently it hasn’t been done.
I would think it could be accomplished with Linux and the BSDs, mainly because those OSs come with their applications and the source code for these apps. So rewriting everything to work with sandboxing should be feasible. But it would probably be impossible with Windows, OSX or any other commercial system unless you could convince users to throw out all their old apps and trade them in for new updated ones. Or am I wrong about this?
chroot jail
It’s a little more like ChromeOS is making use of what is already available in Linux or other *nix like platforms.
chroot – mentioned by the first response. I’d add SELinux if you want strict control over what programs are running and what they can do. Read-only root partition I’ve not heard of on a desktop but it’s been done. One could put the boot partition and a storage partition on read-only disk; recommended for your security databases like tripwire record.
The hash’d root system verification and automatic re-imaging is probably the one new thing and then, I don’t know how much new code would be needed unless they actually wrote it into the boot loader.
Now, the overall planned implementation is not how anything more general purpose than an ebook reader has been delivered yet. I think that’s the real creativity in reusing many long available options with one or two new additions.
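The “checksummed system that restores itself” described in the Chrome OS comment above, and the “hash’d root system verification” this reply singles out as the new part, both come down to the same mechanism: a trusted manifest of file hashes taken from a read-only tree, re-checked later, with any mismatch treated as a reason to re-image. The script below is an added illustration of that detection step, not code from the page, from Chrome OS or from tripwire. It assumes a POSIX shell with `find`, `awk`, `mktemp` and either GNU `sha256sum` or BSD `shasum`; the tree layout, file names and contents in `demo` are constructed for the demonstration, and what to do on a mismatch (re-image, refuse to boot, alert) is left to the caller.

```shell
#!/bin/sh
# Added example, not code from the page or from Chrome OS: a minimal
# "checksummed root" check. build_manifest baselines a tree (one SHA-256 per
# regular file); verify_manifest recomputes the hashes and reports every file
# that was modified, added or removed since the baseline. Everything under
# demo() is a constructed stand-in for a read-only system partition.

hash_file() {
    # GNU coreutils ships sha256sum; BSD/macOS ships shasum. Print only the digest.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

build_manifest() {
    # $1 = directory to baseline, $2 = manifest path to write.
    # Each line is "<64 hex chars> <path relative to $1>", sorted for determinism.
    b_dir=$1; b_out=$2
    ( cd "$b_dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s\n' "$(hash_file "$f")" "$f"
    done ) > "$b_out"
}

verify_manifest() {
    # $1 = directory, $2 = baseline manifest. Returns 0 if the tree matches the
    # baseline exactly; otherwise prints one line per discrepancy and returns 1.
    v_dir=$1; v_manifest=$2
    v_tmp=$(mktemp)
    build_manifest "$v_dir" "$v_tmp"
    # The path is everything after the 64-char digest and its separating space,
    # so paths containing spaces are compared whole rather than split on $2.
    v_report=$(awk '
        NR == FNR { base[substr($0, 66)] = $1; next }
                  { cur[substr($0, 66)]  = $1 }
        END {
            for (p in base) { if (!(p in cur)) print "MISSING  " p; else if (cur[p] != base[p]) print "MODIFIED " p }
            for (p in cur)  { if (!(p in base)) print "ADDED    " p }
        }' "$v_manifest" "$v_tmp" | LC_ALL=C sort)
    rm -f "$v_tmp"
    if [ -n "$v_report" ]; then
        printf '%s\n' "$v_report"
        return 1
    fi
    return 0
}

demo() {
    # Constructed throw-away tree; paths and contents are invented for the demo.
    root=$(mktemp -d); manifest=$(mktemp)
    mkdir -p "$root/bin" "$root/etc"
    printf '#!/bin/sh\necho hello\n'   > "$root/bin/hello"
    printf 'update_channel=stable\n'   > "$root/etc/app.conf"
    printf 'legacy setting\n'          > "$root/etc/legacy.conf"
    build_manifest "$root" "$manifest"

    # An untouched tree must verify silently.
    verify_manifest "$root" "$manifest" >/dev/null || echo "CLEAN-CHECK-FAILED"

    # Simulate changes made after the baseline: one file altered, one dropped
    # in, one removed. The printed report is what a self-restoring system would
    # act on (re-image from a known-good copy) instead of booting the tree.
    printf '#!/bin/sh\necho tampered\n' > "$root/bin/hello"
    printf 'dropped in\n'               > "$root/etc/extra.conf"
    rm -f "$root/etc/legacy.conf"
    verify_manifest "$root" "$manifest" || true

    rm -rf "$root" "$manifest"
}

demo
```

Running the script prints three lines, `ADDED ./etc/extra.conf`, `MISSING ./etc/legacy.conf` and `MODIFIED ./bin/hello`, and nothing for the clean pass. The manifest is only as trustworthy as where it lives: on a real system it has to sit somewhere the checked tree cannot write to (a separate read-only partition, or signed and verified by the boot loader), otherwise whatever modifies the tree can also rewrite the baseline, which is why the comment ties this to a read-only root and to the boot loader.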